Virus spam via Allakhazam?

#1 Jun 02 2005 at 5:52 PM Rating: Excellent
***
1,863 posts
Howdy, y'all.

I received an email today that's apparently a virus spam-mail; posting details because it looks like it actually used an AK server somewhere along the chain instead of just being totally spoofed.

--


> -----Original Message-----
> From: service@allakhazam.com [mailto:service@allakhazam.com]
> Sent: Thursday, June 02, 2005 1:43 PM
> To: wingchild@allakhazam.com
> Subject: Account Alert
>
>
> We regret to inform you that your account has been suspended due
> to the violation of our site policy, more info is attached.
>
>

--

Attachment: info-text.zip (41kb)

--



Odds are huge that it's a virus spam. The reason I'm bothering to post about it is this..

(note; removed my own back-end name/addy; you don't need them ^^)

--

Return-path: <service@allakhazam.com>
Envelope-to: myname@myaddress.net
Delivery-date: Thu, 02 Jun 2005 13:44:50 -0400
Received: from myname by serverdns.jiffynet-hosting.net with local-bsmtp (Exim 4.44)
id 1DdtkP-0007na-GV
for myname@myaddress.net; Thu, 02 Jun 2005 13:44:50 -0400
Received: from [216.155.41.211] (helo=clstr12.allakhazam.com)
by serverdns.jiffynet-hosting.net with esmtp (Exim 4.44)
id 1DdtkP-0007nW-BP
for brian@wingchild.net; Thu, 02 Jun 2005 13:44:49 -0400
Received: by clstr12.allakhazam.com (Postfix)
id EC87B19D97D; Thu, 2 Jun 2005 13:46:23 -0400 (EDT)
Delivered-To: wingchild@allakhazam.com
Received: from allakhazam.com (unknown [62.149.126.116])
by clstr12.allakhazam.com (Postfix) with ESMTP id 1D61D19D965
for <wingchild@allakhazam.com>; Thu, 2 Jun 2005 13:44:44 -0400 (EDT)
From: service@allakhazam.com
To: wingchild@allakhazam.com
Subject: Account Alert
Date: Thu, 2 Jun 2005 20:43:04 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0013_579BCDBC.B9C621AD"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20050602174444.1D61D19D965@clstr12.allakhazam.com>
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
serverdns.jiffynet-hosting.net
X-Spam-Status: No, score=0.0 required=3.5 tests=BAYES_40,MISSING_MIMEOLE,
NO_REAL_NAME,PRIORITY_NO_NAME autolearn=no version=3.0.2

--

Message-Id: <20050602174444.1D61D19D965@clstr12.allakhazam.com>

Correct me if I'm wrong but it looks like someone is using clstr12.allakhazam.com to send this crap out. That box still has the "our forums crashed" page up if you go to it directly. Any chance that you have an open SMTP relay somewhere that's being spammed through?

Please advise.



Thanks,

Wingchild.
#2 Jun 02 2005 at 6:20 PM Rating: Decent
****
6,318 posts
Do you have your email address made public?

I used to get tons of spam, then I hid my email address and almost all of it went bye bye.
#3 Jun 03 2005 at 1:24 AM Rating: Good
Wingchild wrote:
Howdy, y'all.

I received an email today that's apparently a virus spam-mail; posting details because it looks like it actually used an AK server somewhere along the chain instead of just being totally spoofed.

--


> -----Original Message-----
> From: service@allakhazam.com [mailto:service@allakhazam.com]
> Sent: Thursday, June 02, 2005 1:43 PM
> To: wingchild@allakhazam.com
> Subject: Account Alert
>
>
> We regret to inform you that your account has been suspended due
> to the violation of our site policy, more info is attached.
>
>

--

Attachment: info-text.zip (41kb)

--



Odds are huge that it's a virus spam. The reason I'm bothering to post about it is this..

(note; removed my own back-end name/addy; you don't need them ^^)

--

Return-path: <service@allakhazam.com>
Envelope-to: myname@myaddress.net
Delivery-date: Thu, 02 Jun 2005 13:44:50 -0400
Received: from myname by serverdns.jiffynet-hosting.net with local-bsmtp (Exim 4.44)
id 1DdtkP-0007na-GV
for myname@myaddress.net; Thu, 02 Jun 2005 13:44:50 -0400
Received: from [216.155.41.211] (helo=clstr12.allakhazam.com)
by serverdns.jiffynet-hosting.net with esmtp (Exim 4.44)
id 1DdtkP-0007nW-BP
for psst@remove.me.in.original.post; Thu, 02 Jun 2005 13:44:49 -0400
Received: by clstr12.allakhazam.com (Postfix)
id EC87B19D97D; Thu, 2 Jun 2005 13:46:23 -0400 (EDT)
Delivered-To: wingchild@allakhazam.com
Received: from allakhazam.com (unknown [62.149.126.116])
by clstr12.allakhazam.com (Postfix) with ESMTP id 1D61D19D965
for <wingchild@allakhazam.com>; Thu, 2 Jun 2005 13:44:44 -0400 (EDT)
From: service@allakhazam.com
To: wingchild@allakhazam.com
Subject: Account Alert
Date: Thu, 2 Jun 2005 20:43:04 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0013_579BCDBC.B9C621AD"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20050602174444.1D61D19D965@clstr12.allakhazam.com>
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
serverdns.jiffynet-hosting.net
X-Spam-Status: No, score=0.0 required=3.5 tests=BAYES_40,MISSING_MIMEOLE,
NO_REAL_NAME,PRIORITY_NO_NAME autolearn=no version=3.0.2



That bolded line is the line that matters. clstr12.allakhazam.com is the server which forwards the emails to your @allakhazam.com address to you. The bolded line shows that the email comes from 62.149.126.116, who said it was allakhazam.com. 62.149.126.116 has no reverse DNS, and comes up in RIPE WHOIS as...

 
inetnum:      62.149.120.0 - 62.149.127.255 
netname:      STC-DSLSKY 
descr:        Saudi Telecomm. Co. 
descr:        Saudi Data VSAT Project 
remarks:      For any Abuse or Spamming Please send an e-mail to abuse@saudi.net.sa 
country:      SA 
admin-c:      STCR1-RIPE 
tech-c:       STCR2-RIPE 
status:       ASSIGNED PA 
mnt-by:       SAUDINET-STC 
source:       RIPE # Filtered 
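Added example, not part of Kesac's post: a small Python walk over the Received: chain quoted above that lands on the hop Kesac points at, the one Postfix recorded as "unknown" (no PTR record) while it claimed to be allakhazam.com. The header text is a re-folded copy of the headers posted in the thread; the two regexes assume the Postfix and Exim Received: formats seen there.

```python
import re

# Constructed sample: the Received: chain posted in the thread, re-folded with
# leading tabs the way the raw message would carry it.
RAW_HEADERS = """\
Received: from [216.155.41.211] (helo=clstr12.allakhazam.com)
\tby serverdns.jiffynet-hosting.net with esmtp (Exim 4.44)
\tid 1DdtkP-0007nW-BP
\tfor myname@myaddress.net; Thu, 02 Jun 2005 13:44:49 -0400
Received: by clstr12.allakhazam.com (Postfix)
\tid EC87B19D97D; Thu, 2 Jun 2005 13:46:23 -0400 (EDT)
Received: from allakhazam.com (unknown [62.149.126.116])
\tby clstr12.allakhazam.com (Postfix) with ESMTP id 1D61D19D965
\tfor <wingchild@allakhazam.com>; Thu, 2 Jun 2005 13:44:44 -0400 (EDT)
From: service@allakhazam.com
"""

# Postfix writes "from HELO (RDNS [IP])", with the literal "unknown" when the
# IP has no PTR record; Exim writes "from [IP] (helo=HELO)".
POSTFIX_FROM = re.compile(r"^from (\S+) \((\S+) \[([0-9a-fA-F.:]+)\]\)")
EXIM_FROM = re.compile(r"^from \[([0-9a-fA-F.:]+)\] \(helo=(\S+)\)")

def unfold_received(raw):
    """Received: values oldest first (each MTA prepends its own on top)."""
    unfolded = re.sub(r"\n[ \t]+", " ", raw)          # join folded lines
    return re.findall(r"^Received:\s*(.*)$", unfolded, re.M)[::-1]

def parse_hop(value):
    """Pull the claimed (HELO) name, reverse DNS and IP out of one hop."""
    hop = {"helo": None, "rdns": None, "ip": None}
    if m := POSTFIX_FROM.match(value):
        hop["helo"], hop["rdns"], hop["ip"] = m.groups()
    elif m := EXIM_FROM.match(value):
        hop["ip"], hop["helo"] = m.groups()
    if hop["ip"] is None:
        hop["verdict"] = "local hand-off"
    elif hop["rdns"] == "unknown":       # no PTR: the HELO name is only a claim
        hop["verdict"] = "no reverse DNS, HELO unverified"
    elif hop["rdns"] is None:
        hop["verdict"] = "rDNS not recorded by this MTA"
    elif hop["rdns"] != hop["helo"]:
        hop["verdict"] = "HELO/rDNS mismatch"
    else:
        hop["verdict"] = "ok"
    return hop

def originating_hop(raw=RAW_HEADERS):
    """First hop with an IP: the host that actually injected the message."""
    return next(h for h in map(parse_hop, unfold_received(raw)) if h["ip"])
```

Run against the pasted headers, `originating_hop()` returns the 62.149.126.116 hop with the verdict "no reverse DNS, HELO unverified"; clstr12 only shows up as the relay that accepted it.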
#4 Jun 03 2005 at 8:07 AM Rating: Excellent
***
1,863 posts
Ah, classic DNS spoofing. Nice catch, Kesac. *quiet applause*

I should have remembered to perform my own WHOIS last night, but I guess I was feeling lazy. *blush*


edit:

Spent an extra minute thinking about it; perhaps clstr12's SMTP service shouldn't be accepting email from hosts that fail a reverse DNS check? It's looking like clstr12 is a poor dupe in all this but safeguards can be put in place to reduce the amount of AK spam that comes through.


By the way, for the curious, I ran the .zip file that was attached through a hex editor for kicks. The file inside is called "info-txt.doc .scr" -- about 15 spaces (hex 20) between the .doc and .scr.

After running it triggers Kernel32.dll and calls for a process list, then begins to unpack a separate executable that has been archived in the file; most of the 41k is that compressed executable.

I don't have a clue what it actually would do and am not about to run it on my system to find out. ^^;

Edited, Fri Jun 3 09:13:05 2005 by Wingchild
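Added example, not the poster's own analysis: a Python check that flags archive members using the padded double-extension trick described above (a document extension, a run of spaces, then the real .scr), without extracting or running anything. The sample zip is constructed in memory and the extension lists are assumptions.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click; .scr (screensaver) is the one the
# attachment in the thread used. Both lists are assumptions, not from the post.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".doc", ".txt", ".pdf", ".jpg", ".xls"}

def build_sample_zip():
    """Constructed archive: the padded name from the thread plus two controls."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("info-txt.doc" + " " * 15 + ".scr", b"MZ placeholder bytes")
        z.writestr("readme.txt", b"harmless text")
        z.writestr("setup.exe", b"MZ placeholder bytes")
    return buf.getvalue()

def classify_name(name):
    """Return (verdict, true_extension) for one archive member name."""
    base = name.rsplit("/", 1)[-1]
    true_ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
    if true_ext not in EXECUTABLE_EXTS:
        return "ok", true_ext
    stem = base[: -len(true_ext)]
    padded = stem != stem.rstrip()       # spaces push the real extension out of view
    decoy = re.search(r"(\.[A-Za-z0-9]{1,4})\s*$", stem)
    if decoy and decoy.group(1).lower() in DECOY_EXTS:
        return ("disguised executable" if padded else "double extension"), true_ext
    return "executable", true_ext

def scan_zip(data):
    """Map each member name to its verdict; nothing is extracted or run."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: classify_name(n)[0] for n in z.namelist()}
```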
#5 Jun 03 2005 at 8:16 AM Rating: Excellent
***
1,863 posts
PsiChi,

Yup, it's public. I suppose I'll restrict it later today.. I don't know that I've ever received a legitimate direct mail from someone via AK anyway. ^^
#6 Jun 03 2005 at 9:07 AM Rating: Excellent
Spankatorium Administratix
*****
1oooo posts
Wingchild wrote:
PsiChi,

Yup, it's public. I suppose I'll restrict it later today.. I don't know that I've ever received a legitimate direct mail from someone via AK anyway. ^^


*ornery spams Wingchild*

Heh j/k
____________________________
